Trove's SSH Bastion
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
asciicast Cleaned and fixed things up. Added documentation Oct 28, 2018
config Added selective debugging to the config Jan 7, 2019
iap Allow checking email domain if HD isn't set Feb 20, 2019
monitoring Fixed collector with better data Dec 15, 2018
proxyprotocol Added prometheus monitor Dec 15, 2018
ssh Added selective debugging to the config Jan 7, 2019
web Redirect all users to bundle download Feb 1, 2019
.dockerignore Updated build steps Dec 23, 2018
Dockerfile Report shasum of build package Jan 25, 2019 Added readme Nov 5, 2018
config.example.yml Added selective debugging to the config Jan 7, 2019
main.go Added prometheus monitor Dec 15, 2018


The Trove SSH Bastion handles all authentication into remote Trove resources. The bastion supports either standalone use (single instance) or clustered mode using Google Cloud. Clustered mode takes advantage of Google TCP/HTTPS Loadbalancers, Autoscaled Instance Groups, and Identity Aware Proxy. It supports storing information either in MySQL (for clustered mode, this is necessary) or SQLite, and storing compressed SSH sessions in Google Cloud Storage.

How it works

The Bastion works by acting as a SSH Certificate Authority and uses these certificates for authorization. Certificates only live for a configurable length of time, and authorization for a user can be disabled instantly or certificates can be regenerated, removing the authenticity of old certificates. Server authorization is provided on a per-user basis by verifying the user has authorization on a connecting host/hostname basis. All actions are logged, and sessions can be joined through the web interface. Sessions are stored in the familiar Asciicast V2 format. Sessions can be disconnected mid-layer through the bastion. This is supposed to serve as a single point of access into one's private cloud, rather than the typical VPN based model. All SSH actions (to the best of my knowledge) are implemented by this proxy.

Deployment steps

Internally, we use Chef to deploy the bastion. Most of this is taken care of automatically. There is also a Dockerfile (and subsequent image) bundled with this repo that can also be used for deployment and as a binary builder.

  1. Download this repository
    • git clone
  2. Run a docker build
    • docker build -t bastion .
  3. Start the bastion
    • docker run -it --rm -p 5222:5222 -p 8080:8080 bastion


The config.example.yml file explains all of the configuration options available for this application. There is also a credentials.json file required for handling GCS credentials.